Abstract

A multiport repeater for a local area network installation has (in addition to its conventional functions) means for storing access rules for the items of equipment connected to it. It reads a portion of each frame, which may be all or part of the destination address segment and/or of the source address segment and/or of the control segment of each incoming data frame, or it could be a frame or protocol identifier incorporated in the opening bytes of the data segment. It compares the data that it reads with the stored access rules to determine whether the frame is permitted or not. If not, it corrupts the frame which it is in the course of re-transmitting, for example by overwriting it with meaningless digits. It may also report the source address, destination address and reason for deciding to corrupt the frame to the network controller.






EP 0 431 751 A1 



Fig. 2 (cont.): block diagram of the security module. Recoverable labels: comparators; address database 18; timing; control; state machine; from port I/F S1-SN; Rx data to other module; clock to other module; illegal frame, reason, address and download lines to the info bus; port I/O.


REPEATERS FOR SECURE LOCAL AREA NETWORKS 



This invention relates to local area networks for providing intercommunication between computers and/or other digital equipment (hereinafter called data termination equipment and abbreviated to DTE). More particularly, it is concerned with networks of the kind in which DTE's are connected (normally via a Medium Attachment Unit (MAU), also called a transceiver) to a common transmission medium such as a coaxial cable, a twisted pair cable or an optical fibre, and in which digital repeaters (usually multiport repeaters, MPR's) are used to restore digital signals that have been attenuated or otherwise degraded and to provide for branching when required. The invention includes improved repeaters and the networks in which they are used.

The invention is primarily (but not exclusively) concerned with networks operating Carrier Sense Multiple Access techniques with collision detection (CSMA/CD). The best-known networks of this type are those specified by the International Organization for Standardization as ISO 8802/3 networks and by Xerox Corporation as "Ethernet" networks.

In such systems, data is transmitted in frames which have a limited range of lengths and are normally made up of a meaningless preamble (for establishing synchronisation), a start-of-frame indicator, a destination address segment, a source address segment, a control segment (indicating, for instance, the frame length), a segment of data (often beginning with a frame or protocol identification) to be transmitted to the DTE identified by the destination address, and a frame check segment for verifying accuracy of transmission.

MPR's repeat frames received on an input port 
indiscriminately to all their output ports and nec- 
essarily (because of delay limits imposed by the 
network specifications) begin to retransmit before 
the complete frame has been received. 

A local area network as so far described is 
insecure, in the sense that any DTE can transmit 
data to any other and that an eavesdropper gaining 
access to the transmission medium can read all the 
data. 

In known systems, a measure of security may be achieved by physically subdividing the transmission medium into groups using components called "bridges" which receive and store complete data frames and can then analyse them and determine whether they are authorised frames and, if so, to which of their output ports they need to be retransmitted. However, bridges are much more expensive than MPR's and introduce a delay in excess of the frame length.

The present invention provides repeaters with security features such that in a local area network in which they are used the expense and signal delay inherent in the use of bridges can be avoided, or at least minimised.

In accordance with the invention, a repeater is characterised by having (in addition to whatever known repeater functions are desired) means for storing access rules for the DTE's connected to it; means for reading at least one portion of the frame selected from the destination address segment, the source address segment, the control segment and the frame or protocol identifier (if present) of each incoming data frame and comparing the portion or portions so read with the stored access rules to determine whether the frame is permitted or not; and means for corrupting the frame in retransmission if it determines that it is not.

When the portion of the frame selected to be read is in the control segment, it may be the whole segment or it may be only a part of the segment that is relevant to the decision to be made. In most (but not necessarily all) other cases, the whole of the appropriate address segment or of the identifier should be read.

The access rules may be written to their storing means in various ways, depending (among other things) on the level of security required. For example, a degree of security can be achieved by allowing a learning period when the network is first set up in which the repeater "self-learns" which DTE's are connected to each of its ports and thus sets up its own access rules for each port, forbidding the transmission thereafter of any frame with a source address not corresponding with a DTE connected to that port during the learning period (which presupposes that only authorised DTE's are connected during that period).

More sophisticated rules can be loaded (or self-learned rules can be edited) using data provided as control frames from a network manager, or, if the possibility of the network manager being misused or counterfeited needs to be allowed for, from a special input device (a key pad or a mobile memory device, for instance) coupled to the repeater itself and protected from misuse either by password protection or by removing the input device once the access rules have been written. In extreme cases, the means provided in the repeater for coupling the input device could be destroyed after use, or the rules could be inserted as a pre-programmed ROM encapsulated along with key components of the repeater to prevent substitution.

Either one or both of the destination address segment and the source address segment may be read and compared with the stored access rules, depending on the nature of the rules to be applied. For example, if the physical connections are such that all the DTE's connected to a particular input port (or group of ports) of a repeater have unlimited access to the network, then there is no point in comparing the destination address segments of frames received on that port, and it is only necessary to check the source address segment to verify that the DTE in question is authorised to be connected there. Similarly, if physical security can be relied on to prevent unauthorised connections and all the DTE's connected to a port (or group of ports) have the same (but limited) access to other parts of the network, then only the destination address segment needs to be read and compared.

Subject to the limitations set by comparison time and storage space, each DTE may have its own access rules, independently of all the others; or, if the DTE's are organised in groups with common access rules, then it is possible for individual DTE's to be allocated to more than one of the groups. For example, a departmental accountant's terminal could have access to all the other terminals within his department and also to other accountants' terminals outside the department, without the need to give unnecessary access between the remaining terminals of those two groups.

Ideally, all the data contained in an unauthorised frame should be corrupted, and this presents no problems if the destination address segment shows the frame to be unauthorised, since that segment arrives first and the verdict is available before the data segment begins; if however it is the source address, the control segment or the frame or protocol identifier that shows the frame to be unauthorised, the time taken to make comparisons may be such that a few bytes of data are retransmitted without corruption. If this is considered unacceptable, high-speed comparison algorithms may be used and/or the system protocol may be modified so that there will be an appropriate number of meaningless bytes at the beginning of the data segment.

Data may be corrupted, when required, by overwriting it with a series of binary digits selected from all 1's, all 0's, cyclically repeated sequences and pseudo-random sequences. The first two require no more complex generating means than a simple logic gate, say an ordinary (non-exclusive) OR gate, receiving the incoming data on one input and a permitted/not-permitted flip-flop signal on its other input, so as to pass the data to the output if the flip-flop is set "permitted" but a continuous "high" output if it is set "not permitted" (an AND gate in the same arrangement gives the continuous "low").

Cyclically repeated or pseudo-random se- 
quences can be read from memory or generated 
when required by conventional means. 
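The following Python model is added here by way of illustration and is not part of the specification. It puts together the check described in the paragraphs above: it reads the destination address, source address and control segment of a frame in arrival order, compares each against the stored rules, and, for a frame that fails, overwrites everything from the earliest byte the comparators can reach with one of the four sequences just listed. Field offsets are those of ISO 8802/3 / Ethernet framing with the preamble and start-of-frame delimiter already stripped; the comparator latency of four byte times, the addresses, the rule set and the payloads are assumptions made for the example.

```python
"""Model of the access check and the cut-through corruption described above.
Added example, not the patent's own design. Field offsets follow ISO 8802/3 /
Ethernet framing with preamble and start-of-frame delimiter already stripped;
the comparator latency is an assumed parameter and the addresses, rules and
payloads are constructed for the demonstration."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

DST, SRC, CTL = slice(0, 6), slice(6, 12), slice(12, 14)   # control segment = length/type field
DATA_START = 14
COMPARE_LATENCY = 4   # assumed: bytes already repeated while the comparators settle


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


@dataclass(frozen=True)
class AccessRules:
    allowed_dst: Optional[FrozenSet[bytes]] = None   # None: field not checked
    allowed_src: Optional[FrozenSet[bytes]] = None
    allowed_ctl: Optional[FrozenSet[bytes]] = None


def check(frame: bytes, rules: AccessRules) -> Tuple[Optional[str], int]:
    """Return (reason, corrupt_from). reason is None for a permitted frame.
    Fields are tested in arrival order, so the verdict is available as soon
    as the first offending field is in. Corruption never starts before the
    data segment (the source address must stay intact for the report) nor
    before the deciding field has been compared."""
    for name, fld, allowed in (("destination", DST, rules.allowed_dst),
                               ("source", SRC, rules.allowed_src),
                               ("control", CTL, rules.allowed_ctl)):
        if allowed is not None and frame[fld] not in allowed:
            return name, max(DATA_START, fld.stop + COMPARE_LATENCY)
    return None, len(frame)


def filler(kind: str, n: int) -> bytes:
    """The overwrite sequences listed in the text: all 1's, all 0's, a
    cyclically repeated pattern, or a pseudo-random sequence (16-bit LFSR)."""
    if kind == "ones":
        return b"\xff" * n
    if kind == "zeros":
        return b"\x00" * n
    if kind == "cyclic":
        return (b"\xaa\x55" * (n // 2 + 1))[:n]
    if kind == "prng":
        out, x = bytearray(), 0xACE1          # taps x^16 + x^14 + x^13 + x^11 + 1
        for _ in range(n):
            bit = (x ^ (x >> 2) ^ (x >> 3) ^ (x >> 5)) & 1
            x = (x >> 1) | (bit << 15)
            out.append(x & 0xFF)
        return bytes(out)
    raise ValueError(kind)


@dataclass(frozen=True)
class Report:
    port: int
    dst: bytes
    src: bytes
    reason: str
    leaked: int     # data bytes repeated intact before the overwrite began


def repeat(frame: bytes, rules: AccessRules, port: int,
           kind: str = "ones") -> Tuple[bytes, Optional[Report]]:
    """What the other ports see, plus the report sent to the controller."""
    reason, start = check(frame, rules)
    if reason is None:
        return frame, None
    out = frame[:start] + filler(kind, len(frame) - start)
    return out, Report(port, frame[DST], frame[SRC], reason, start - DATA_START)


# Constructed addresses standing in for DTE 1, DTE 6 and the controller C.
DTE1, DTE6, CTRL = (mac("02:00:00:00:00:01"), mac("02:00:00:00:00:06"),
                    mac("02:00:00:00:00:0f"))
MODULE_RULES = AccessRules(allowed_dst=frozenset({DTE1, CTRL}),
                           allowed_src=frozenset({DTE1}))


def build(dst: bytes, src: bytes, payload: bytes, ctl: bytes = b"\x08\x00") -> bytes:
    return dst + src + ctl + payload     # FCS omitted; the overwrite invalidates it anyway


if __name__ == "__main__":
    for f in (build(CTRL, DTE1, b"report"),
              build(DTE6, DTE1, b"secret-payload"),    # destination not permitted
              build(CTRL, DTE6, b"secret-payload")):   # source not permitted
        out, rep = repeat(f, MODULE_RULES, port=1)
        print(out.hex(), rep)
```

Running it shows the timing point made above: a frame rejected on its destination address is overwritten from the first byte of the data segment, whereas one rejected on its source address has two data bytes repeated intact before the overwrite begins (the end of the source address plus the assumed latency falls two bytes into the data). The first fourteen bytes are always repeated intact, which is what lets the report carry the genuine destination and source addresses; the receiving DTE discards the corrupted frame in any case, because the frame check sequence no longer matches.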

Data may alternatively be corrupted by encrypting it in a manner that cannot be decrypted by the DTE's of the network, except possibly one or a few authorised DTE's (for instance the network controller). This provides the facility for the controller, or a security unit, to be informed of the content of the corrupted frame.

If desired, a repeater which detects an unauthorised frame may, in addition to corrupting it, switch off the port on which such a frame was received and/or the port to which the DTE it was addressed to is connected. Preferably it only does so if it knows that the port concerned is not connected to another repeater.
On occasion, an unauthorised person gaining access to a network may not be concerned to transmit unauthorised data, nor to read data from the network, but to prevent proper functioning of the network. One easy way of so "jamming" a conventional network is to inject into it a rapid succession of frames that conform to the system protocol, so that any other user seeking to transmit will encounter a "collision". As a precaution against this form of abuse, the repeater in accordance with the invention may additionally be fitted with a timer (or frame counter) device arranged to limit the number of consecutive frames that will be accepted on any one port and to switch off that port if the limit is exceeded.
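The self-learning period, the switching off of an offending port and the consecutive-frame counter all describe per-port state rather than per-frame parsing, so the following Python model (added here for illustration; it is not part of the specification) keeps them together: a learning period during which source addresses are recorded per port, an enforcement mode that corrupts and reports frames from sources not learned on that port, an optional switch-off of the offending port that is skipped for ports marked as leading to another repeater, and a consecutive-frame limit that switches off a jamming port. The limit of five frames, the addresses and the flag marking a port as leading to another repeater are assumptions for the example; a frame is represented by its (port, source address) pair, since nothing else enters these decisions.

```python
"""Per-port state for the self-learning, port switch-off and consecutive-frame
defences described above. Added example, not the patent's own logic; the
learning period (closed by an explicit call), the frame limit, the addresses
and the to_repeater flag are assumptions made for the demonstration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Verdict(Enum):
    LEARNED = "source learned"          # learning period: address recorded, frame repeated
    PERMITTED = "permitted"
    UNKNOWN_SOURCE = "unknown source"   # frame corrupted and reported
    PORT_OFF = "port switched off"      # nothing from this port is repeated


@dataclass
class PortState:
    to_repeater: bool = False           # a port leading to another repeater is never switched off
    enabled: bool = True
    learned: Set[bytes] = field(default_factory=set)
    run: int = 0                        # consecutive frames received on this port


class SecureModule:
    def __init__(self, ports: Dict[int, bool], frame_limit: int,
                 isolate_on_violation: bool = False) -> None:
        self.ports = {p: PortState(to_repeater=flag) for p, flag in ports.items()}
        self.frame_limit = frame_limit
        self.isolate = isolate_on_violation
        self.learning = True
        self.last_port: Optional[int] = None
        self.reports: List[Tuple[int, Optional[bytes], str]] = []

    def end_learning(self) -> None:
        """Close the learning period; from now on unknown sources are rejected."""
        self.learning = False

    def receive(self, port: int, src: bytes) -> Verdict:
        state = self.ports[port]
        if not state.enabled:
            return Verdict.PORT_OFF
        # Consecutive-frame counter: the run grows only while no other port
        # gets a frame in, which is the jamming pattern described in the text.
        state.run = state.run + 1 if port == self.last_port else 1
        self.last_port = port
        if state.run > self.frame_limit and self._switch_off(port, "consecutive frame limit exceeded"):
            return Verdict.PORT_OFF
        if self.learning:
            state.learned.add(src)
            return Verdict.LEARNED
        if src not in state.learned:
            self.reports.append((port, src, "source address not learned on this port"))
            if self.isolate:
                self._switch_off(port, "unauthorised source")
            return Verdict.UNKNOWN_SOURCE
        return Verdict.PERMITTED

    def _switch_off(self, port: int, why: str) -> bool:
        """Switch a port off unless it leads to another repeater; report either way."""
        state = self.ports[port]
        if state.to_repeater:
            self.reports.append((port, None, why + "; port left on (leads to another repeater)"))
            return False
        state.enabled = False
        self.reports.append((port, None, why + "; port switched off"))
        return True


# Constructed addresses for the demonstration.
A, B, ROGUE = (b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
               b"\x02\x00\x00\x00\x00\x99")

if __name__ == "__main__":
    m = SecureModule(ports={1: False, 2: False, 3: True}, frame_limit=5)
    m.receive(1, A), m.receive(2, B), m.receive(3, B)
    m.end_learning()
    print(m.receive(1, A), m.receive(1, ROGUE))
    for _ in range(6):
        print(m.receive(2, B))
    print(m.reports)
```

Note that the counter resets whenever a frame arrives on a different port, so ordinary alternating traffic never reaches the limit, while a port that keeps the medium to itself is cut off at the sixth frame in a row. A port marked as leading to another repeater is reported but left on in both cases, since switching it off would also cut off every authorised DTE behind it.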
If desired, the repeater in accordance with the invention may be switchable (e.g. by a local key-operated switch or by a control frame from a network manager) between secure operation in accordance with the invention and ordinary, insecure operation; the latter may be desirable, for example, during fault testing and identification.

The invention will be further described by way of example with reference to the accompanying drawings, in which Figure 1 is a diagram of a network in accordance with the invention incorporating four multiport repeaters and Figure 2 is a block diagram of those parts of a multiport repeater that are relevant to understanding of the present invention.

The network of Figure 1 comprises 14 items of data termination equipment, DTE 1 to DTE 14 (which may for example be general purpose personal computers, dedicated word processors, printers, disc drives etc), and a network controller C. Each of these is connected through its own medium attachment unit MAU 1 to MAU 15 to one or other of three multiport repeaters MPR 1, MPR 2 and MPR 3; these are in turn interconnected by the remaining repeater MPR 4.
Figure 2 shows one module serving ports 1 to 4 of an MPR, the assumption for the purpose of illustration being that there is at least one other module serving further ports, and that the access rules will be the same for all the ports connected to this module.

The most basic conventional function of the MPR is served by the inputs received on any one of ports 1 to 4 passing via respective port interface units 5 and multiplexors 6 and 7 to a first in/first out memory 8. This is inert until enabled by a signal from a start of frame detector 9, and then begins to store the incoming data. In the meantime, a preamble generator 10 has begun to output a preamble signal through the multiplexor 11 to all of the port interfaces, which will pass it to their respective ports except in the case of the port receiving the incoming signal. Preamble transmission continues until a counter 12 indicates that the prescribed length of preamble has been output. Provided there are then at least 3 bits of data in the memory 8, the multiplexor 11 is switched to begin reading out the data stored in the memory, and in the ordinary way will continue to do so until the complete frame has been received into and then read from the memory 8.

However, in accordance with the invention, the incoming signal is also passed via a shift register 13 which extracts the destination address and the source address in parallel form to latches 14 and 15, which are switched by counters 16 enabled by the start of frame signal from detector 9. These are passed to comparators 17 and compared with the access rules previously stored in a database 18.

If the comparators indicate that the frame is not in accordance with the rules contained in the database, then a signal is output via a delay 19 (serving to ensure that the source address will never be corrupted) to the multiplexor 7, and causes it to transmit, for the remainder of the length of the frame, a meaningless sequence of digits available to it from a sequence generator 20 instead of the incoming signal. Preferably, when such a signal is given, data is also transmitted to the network controller C identifying the port on which the frame concerned was received, the destination address and source address of the frame and the reason for the decision that the frame was unauthorised. If desired, this signal may be separated from the system data signals onto a separate signalling medium, designated on the diagram as an info bus.

The repeater provides in addition conventional 
facilities for detecting a collision and transmitting 
jam signals in response to it, for extending signal 
fragments arising from collisions and for disabling a 
port on which excessive collisions or frame lengths 
exceeding the protocol limit are indicative of faulty 
equipment. 

Suppose, by way of example, that DTE's 1 to 5 need to communicate with each other but with none of the other DTE's. DTE's 6 to 9 similarly need access only to each other, but DTE 10 needs access not only to DTE's 6 to 9 but also to DTE's 11 to 14; obviously, all the DTE's need to be in communication with the network controller C. This could be achieved by connecting MAU's 1 to 5 to one module (or to separate modules with the same instructions in their address rule databases) in MPR 1, MAU's 6 to 9 to one module and MAU 10 to a separate module in MPR 2, and similarly MAU's 11 to 14 to one module and MAU 15 to a second module in MPR 3. In MPR 1, the address database needs to be loaded with rules accepting destination addresses corresponding to the network controller C and to its own DTE's 1 to 5 but no other, and may optionally be loaded with the source addresses of its own DTE's 1 to 5 in order to reject signals from an additional DTE connected to it without authority. The first module of MPR 2 is correspondingly loaded. The second module of MPR 2, on the other hand, is loaded with rules accepting destination addresses corresponding to MAU's 6 to 9 and 11 to 14 as well as to the network controller's MAU 15 (and if required to accept no source address except that of DTE 10).

The first module of MPR 3 is loaded with rules accepting destination addresses corresponding to any of MAU's 10 to 15 (and optionally to accept only source addresses corresponding to MAU's 11 to 14); and the second module of MPR 3 is loaded to accept any destination address (and preferably to accept no source address except that of the network controller C).

MPR 4 may, if physical security is reliable, be a conventional MPR without security features; or it may be a repeater in accordance with the invention loaded with analogous rules to provide additional security.

Note that in this example, the network has been so arranged that each destination address and each source address is either accepted or rejected unconditionally. This has the advantage of requiring the shortest processing time, and consequently allowing an unauthorised frame to be corrupted from as nearly as possible the beginning of its data segment. It is however possible, subject to process time limitations, to provide conditional rules allowing certain destination addresses to be accessed from some but not all of the DTE's connected to the module in question.
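The rule tables of the worked example above, written out in Python so that the access they yield can be checked rather than reasoned about by hand. This is an added example and not part of the specification. It assumes that DTE numbers stand in for addresses (the controller C being number 15, after its MAU 15), that a frame is checked by the module to which the sending DTE's MAU is attached, and that MPR 4 is an ordinary repeater, as the text permits.

```python
"""Rule tables for the worked example of Figure 1 and a check of the access
they yield. Added example, not from the patent. Assumptions: DTE numbers stand
in for addresses and the controller C is number 15 (it hangs off MAU 15); a
frame is checked by the module to which the sending DTE's MAU is attached, and
MPR 4 is taken to be an ordinary repeater, as the text permits."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

C = 15   # network controller


@dataclass(frozen=True)
class ModuleRules:
    allowed_dst: Optional[FrozenSet[int]]   # None: accept any destination
    allowed_src: Optional[FrozenSet[int]]   # None: source address not checked


def group(*ranges: range) -> FrozenSet[int]:
    return frozenset(n for r in ranges for n in r)


MODULES: Dict[str, ModuleRules] = {
    # MPR 1: own DTE's 1-5 and the controller; the optional source list rejects a stranger
    "MPR1/1": ModuleRules(group(range(1, 6)) | {C}, group(range(1, 6))),
    # first module of MPR 2, "correspondingly loaded" for DTE's 6-9
    "MPR2/1": ModuleRules(group(range(6, 10)) | {C}, group(range(6, 10))),
    # second module of MPR 2, serving DTE 10 alone
    "MPR2/2": ModuleRules(group(range(6, 10), range(11, 15)) | {C}, frozenset({10})),
    # first module of MPR 3: destinations 10-15, sources 11-14
    "MPR3/1": ModuleRules(group(range(10, 16)), group(range(11, 15))),
    # second module of MPR 3: the controller may address anything
    "MPR3/2": ModuleRules(None, frozenset({C})),
}

ATTACHED: Dict[int, str] = {
    **{d: "MPR1/1" for d in range(1, 6)},
    **{d: "MPR2/1" for d in range(6, 10)},
    10: "MPR2/2",
    **{d: "MPR3/1" for d in range(11, 15)},
    C: "MPR3/2",
}


def verdict(module: ModuleRules, src: int, dst: int) -> Optional[str]:
    """Reason for rejection, or None if the frame is permitted by this module."""
    if module.allowed_dst is not None and dst not in module.allowed_dst:
        return "destination"
    if module.allowed_src is not None and src not in module.allowed_src:
        return "source"
    return None


def reach(src: int, dst: int) -> bool:
    """Can an authorised DTE src get an uncorrupted frame to dst?"""
    return verdict(MODULES[ATTACHED[src]], src, dst) is None


def access_matrix() -> Dict[Tuple[int, int], bool]:
    return {(s, d): reach(s, d) for s in ATTACHED for d in ATTACHED if s != d}


def asymmetric_pairs() -> Set[Tuple[int, int]]:
    """Pairs that can talk in one direction only: the check a rule author wants."""
    m = access_matrix()
    return {(min(s, d), max(s, d)) for (s, d), ok in m.items() if ok != m[(d, s)]}


def rogue_verdict(module_name: str, dst: int, rogue_src: int = 99) -> Optional[str]:
    """An unauthorised DTE plugged into a module whose source list is loaded."""
    return verdict(MODULES[module_name], rogue_src, dst)


if __name__ == "__main__":
    print("1 -> 5", reach(1, 5), "| 1 -> 6", reach(1, 6), "| 10 -> 11", reach(10, 11))
    print("one-way pairs:", sorted(asymmetric_pairs()))
    print("rogue on MPR1/1 ->", rogue_verdict("MPR1/1", 1))
```

Evaluating the matrix confirms the intended groupings and that every DTE reaches the controller. It also shows that, with the first module of MPR 2 loaded exactly as described (destinations 6 to 9 and C only), DTE 10 can address DTE's 6 to 9 but their replies to DTE 10 are rejected on the destination address; if two-way traffic is intended, DTE 10's address must be added to that module's destination list. The rogue check shows the purpose of the optional source lists: a DTE attached without authority is rejected on its source address even when its destination would be accepted.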


Claims 

1. A secure repeater for use in a local area network including means for receiving incoming data frames and for retransmitting them during a time interval that begins before the complete frame of data has been received and characterised by a means for storing access rules for the DTE's connected to it; means for reading at least one portion of the frame selected from the destination address segment, the source address segment, the control segment and the frame or protocol identifier (if present) of each incoming data frame and comparing the portion or portions so read with the stored access rules to determine whether the frame is permitted or not; and means for corrupting the frame in retransmission if it determines that it is not.

2. A repeater as claimed in claim 1 including means for reading and comparing both the destination address segment and the source address segment of the incoming frame.

3. A repeater as claimed in claim 1 or claim 2 in which the said means for corrupting the data frame comprises means for overwriting it with a series of binary digits selected from all 1's, all 0's, cyclically repeated sequences and pseudo-random sequences.

4. A repeater as claimed in claim 1 or claim 2 in which the means for corrupting the data frame is encrypting means.



5. A repeater as claimed in any one of the preceding claims in which the said access rules are self-learned on the basis of the identity of equipment connected to its ports during an initial learning period.

6. A repeater as claimed in any one of claims 1-4 in which the said access rules are written to the repeater by a network manager.

7. A repeater as claimed in any one of claims 1-4 in which the said access rules are written to the repeater from an input device coupled to it and removed once the access rules have been written.



8. A repeater as claimed in any one of claims 1-4 in which the said access rules are written to the repeater by an input device protected from misuse by password protection.

9. A repeater as claimed in any one of the preceding claims in which, when an unauthorised frame is detected, in addition to the frame being corrupted, the port on which it was received and/or the port to which the DTE it was addressed to is connected is switched off.

50 

10. A repeater as claimed in any one of the preceding claims including means for switching off any input port on which a number of consecutive frames in excess of a predetermined limit are received.